Over the past 24 hours, cybercriminals have started spamvertising millions of emails impersonating the Federal Deposit Insurance Corporation (FDIC), in an attempt to trick businesses into installing a bogus, non-existent security tool promoted in the emails. Upon clicking on the links, users are exposed to client-side exploits served by the Black Hole Exploit Kit.

More details:

Sample screenshot of the spamvertised FDIC impersonating email:

Once the user clicks on the malicious link, they are exposed to the following bogus “Page loading…” page:

We’ve already seen this same IP used in the recently profiled “Spamvertised ‘US Airways reservation confirmation’ themed emails serve exploits and malware” campaign. Clearly, the FDIC campaign is using the same malicious infrastructure as the US Airways themed campaign.

Once executed, the dropped executable attempts to phone back to 72.167.253.106:8080/mx/5/B/in (AS26496).

The following malicious command and control domains also resolve to the same IP:
dentistbook.info
indianfirends.com
indianpolitics.com
insomniacporeed.ru

More malicious URLs are known to have resolved to the same IP in the past, for instance:
hxxp://outsourcingtoindiablog.com/look.html
hxxp://outsourcingtoindiablog.com/top.html
hxxp://outsourcingtoindiablog.com/stream.html
hxxp://indianfirends.com/main.php?s=homepage.index
hxxp://indianpolitics.org/main.php?s=homepage.index&ss=5
hxxp://sabdekho.com/signal.html
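The indicators above (the phone-back IP, port and path, the C&C domains, and the historical URLs) are the kind of thing a defender wants to sweep proxy logs for. The script below is an added example written for this post, not code from the original write-up or from Webroot: it loads exactly the indicators listed above, re-arms the defanged hxxp:// URLs for comparison, and classifies each URL in a constructed proxy log (the `timestamp client_ip method url` line format is an assumption). Traffic to the phone-back path on port 8080 is flagged as a beacon, any other traffic to the IP is flagged separately, subdomains of the listed C&C domains match, and the historical URLs match only exactly, so a different page on indianpolitics.org (listed above only as a URL, not as a domain) is not flagged.

```python
"""Sweep proxy log lines for the indicators listed in the post.

Added example, not part of the original post. Log lines below are
constructed; the log format (timestamp client_ip method url) is assumed.
"""
from urllib.parse import urlsplit

# Indicators copied verbatim from the post.
C2_IP = "72.167.253.106"
C2_PORT = 8080
C2_PATH = "/mx/5/B/in"
C2_DOMAINS = {
    "dentistbook.info",
    "indianfirends.com",
    "indianpolitics.com",
    "insomniacporeed.ru",
}
HISTORICAL_URLS = {
    "hxxp://outsourcingtoindiablog.com/look.html",
    "hxxp://outsourcingtoindiablog.com/top.html",
    "hxxp://outsourcingtoindiablog.com/stream.html",
    "hxxp://indianfirends.com/main.php?s=homepage.index",
    "hxxp://indianpolitics.org/main.php?s=homepage.index&ss=5",
    "hxxp://sabdekho.com/signal.html",
}


def refang(url):
    """Turn the defanged hxxp:// form used in the post back into a real scheme."""
    if url.startswith("hxxp://"):
        return "http://" + url[len("hxxp://"):]
    if url.startswith("hxxps://"):
        return "https://" + url[len("hxxps://"):]
    return url


# Armed copies of the historical URLs, compared against live log URLs.
HISTORICAL_URLS_ARMED = {refang(u) for u in HISTORICAL_URLS}


def host_matches(host, domain):
    """True for the domain itself and any subdomain of it (not for look-alike suffixes)."""
    return host == domain or host.endswith("." + domain)


def classify(url):
    """Return the indicator category a URL hits, or None if it hits nothing."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    port = parts.port
    if port is None:  # no explicit port: use the scheme default
        port = 443 if parts.scheme == "https" else 80
    if host == C2_IP and port == C2_PORT and parts.path.startswith(C2_PATH):
        return "c2-beacon"      # the exact phone-back seen from the dropped executable
    if host == C2_IP:
        return "c2-ip"          # anything else talking to the shared infrastructure
    if any(host_matches(host, d) for d in C2_DOMAINS):
        return "c2-domain"      # listed C&C domain or a subdomain of one
    if refang(url) in HISTORICAL_URLS_ARMED:
        return "historical-url" # exact match on a URL previously seen on that IP
    return None


def scan(lines):
    """Parse 'timestamp client_ip method url' lines; return (client_ip, url, category) hits."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines instead of aborting the sweep
        client_ip, url = fields[1], fields[3]
        category = classify(url)
        if category:
            hits.append((client_ip, url, category))
    return hits


# Constructed sample log: one benign request plus hits on each indicator type.
SAMPLE_LOG = [
    "2012-05-01T09:12:01Z 10.1.2.3 GET http://www.example.com/index.html",
    "2012-05-01T09:12:44Z 10.1.2.3 GET http://72.167.253.106:8080/mx/5/B/in",
    "2012-05-01T09:13:02Z 10.1.2.9 GET http://cdn.indianfirends.com/main.php?s=homepage.index",
    "2012-05-01T09:14:10Z 10.1.2.9 GET http://indianpolitics.org/main.php?s=homepage.index&ss=5",
    "2012-05-01T09:15:33Z 10.1.2.7 GET http://indianpolitics.org/other.html",
    "2012-05-01T09:16:00Z 10.1.2.7 GET http://72.167.253.106/mx/5/B/in",
]

if __name__ == "__main__":
    for client_ip, url, category in scan(SAMPLE_LOG):
        print(f"{category:15} {client_ip:10} {url}")
```

Running it against the constructed log reports the beacon from 10.1.2.3, the subdomain and historical-URL hits from 10.1.2.9, and the port-80 contact with the IP from 10.1.2.7, while the unrelated indianpolitics.org page and the benign request stay quiet. Extend `C2_DOMAINS` and `HISTORICAL_URLS` as further infrastructure from this campaign is identified; the matching logic does not need to change.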
